The new Account Management: Identity, Authentication, Authorization Policies

Page 1: The new Account Management: Identity, Authentication, Authorization Policies

Operating Systems & Information Services
CERN IT Department, CH-1211 Geneva 23, Switzerland
www.cern.ch/it

ACCU, March 9, 2010
IT-OIS

Page 2: Account Management: What's new?

• On 22 November 2010, a new Account Management system was introduced
  – Replacing the old CRA system
  – Introduced new policies and concepts
• Next objectives
  – Medium to long term: policies review
  – Procedures are being adapted, optimized and reviewed
  – Massive cleanup of data and rules being done
  – Consolidation of all the services involved

Page 3: IAA Definition

                  Answers the question           Attribute
  Identity        “Who are you?”                 Public assertion
  Authentication  “Ok, how can you prove it?”    Secret response
  Authorization   “What can I do?”               Token or ticket; access control

• Identity:
  – Human Identity: FOUNDATION (GS/AIS)
  – Computer Identity (accounts): FIM (IT/OIS)
• Authentication: Active Directory, Kerberos, Single Sign-On, LDAP, SOAP (IT/OIS)
• Authorization: E-Groups to maintain access control lists (GS/AIS)

Page 4: Account Model: Account types

• Primary account
  – Automatically created
  – Call the Service Desk to enable it
• Secondary account
  – Belongs to the user
  – Deleted when the user leaves CERN
• Service account
  – Assigned to the user
  – Can be reassigned
  – Reassigned to the supervisor when the user leaves CERN

Page 5: End-User Perspective: What's new?

• Actions are either automated or self-service based
  – The end-user connects to a Self-Service Web Portal
• User arrival
  – The Primary account is automatically created
  – First activation through the Service Desk
  – Follow the course and sign the OC5 security rules within 5 days at most
• Account management
  – Users can create and manage optional Secondary and Service accounts through the Web Portal
  – Ownership of Service accounts can be transferred, to avoid orphan accounts
• Service management
  – The Service Management web page presents to the user a global view of:
    • the computing resources he owns,
    • the list of services he has subscribed to,
    • and the available options for each of them
• User departure
  – Service accounts are reassigned to the supervisor if the user has not reassigned them proactively
  – Accounts are disabled 2 months after departure and deleted after 6 months

Pages 6-9: User Experience: Self Service tools (four slides; only the slide titles were captured)

Page 10: E-Groups: Computing Groups

• Computing Groups were migrated to E-Groups
  – Specific Unix/AFS groups
• Group administrators decide how to manage their groups:
  – Static membership
  – Dynamic criteria
  – Both (nested groups)

Page 11: Multiple Computing Groups: New Feature

Users changing Experiment were not easily covered by the old system.

• Users can now be members of several computing groups
  – When working on several Experiments
  – No need to create many secondary accounts
• Tools now make it easy to change the primary Computing Group
  – Permanently (the old one remains available at any time)
  – Temporarily
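A worked example, added here and not part of the CERN slides: resolving the effective membership of e-groups that combine static members, dynamic criteria and nesting (page 10), and listing every computing group a login belongs to (page 11). All group names, logins and person attributes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class EGroup:
    name: str
    static_members: Set[str] = field(default_factory=set)       # logins listed by the group admin
    dynamic_rule: Optional[Callable[[dict], bool]] = None       # criterion on a person's attributes
    nested: List[str] = field(default_factory=list)             # member e-groups (nesting)

def resolve(name: str, groups: Dict[str, EGroup], people: Dict[str, dict],
            _seen: Optional[Set[str]] = None) -> Set[str]:
    """Effective logins of an e-group: static members, dynamic matches and nested groups, cycle-safe."""
    seen = _seen if _seen is not None else set()
    if name in seen:        # a nesting cycle (A contains B contains A) must not recurse forever
        return set()
    seen.add(name)
    g = groups[name]
    members = set(g.static_members)
    if g.dynamic_rule is not None:
        members |= {login for login, attrs in people.items() if g.dynamic_rule(attrs)}
    for child in g.nested:
        members |= resolve(child, groups, people, seen)
    return members

def groups_of(login: str, groups: Dict[str, EGroup], people: Dict[str, dict]) -> Set[str]:
    """All e-groups a login effectively belongs to (a user may sit in several computing groups)."""
    return {name for name in groups if login in resolve(name, groups, people)}

# Constructed sample directory and e-groups (hypothetical names and attributes).
PEOPLE = {
    "jdoe": {"experiment": "ATLAS", "dept": "PH"},
    "asmith": {"experiment": "CMS", "dept": "PH"},
    "bwong": {"experiment": None, "dept": "IT"},
}
GROUPS = {
    "atlas-users": EGroup("atlas-users", dynamic_rule=lambda p: p["experiment"] == "ATLAS"),
    "cms-users": EGroup("cms-users", dynamic_rule=lambda p: p["experiment"] == "CMS"),
    "it-ops": EGroup("it-ops", static_members={"bwong"}),
    "all-computing": EGroup("all-computing", nested=["atlas-users", "cms-users", "it-ops"]),
    "loop-a": EGroup("loop-a", static_members={"asmith"}, nested=["loop-b"]),
    "loop-b": EGroup("loop-b", nested=["loop-a"]),
}
```

Changing a person's experiment attribute moves them between the dynamic groups without touching any static list, which is the "no extra secondary accounts" point of page 11.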

Page 12: Users' departure policy

• When a user's contract ends + 2 months:
  – Primary and secondary accounts are disabled
  – Same policy for everyone
  – Decreasing to 1 month will increase security
• The supervisor can ask the Service Desk for an extension
  – Such a Blocking Exception should become a new HR feature / status (investigation in progress)
• Decrease exceptions
  – Understanding the need for exceptions will help to cover them with normal procedures.
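An added example, not from the slides: an audit of the account lifecycle described on pages 4, 5 and 12. It computes the state each account should be in (primary and secondary accounts disabled at contract end + 2 months and deleted after 6 months, service accounts reassigned to the supervisor) and lists the accounts that lag behind; the disable delay is a parameter so the proposed 1-month policy can be evaluated too. The `extension_until` field models the supervisor-requested extension as an assumption, and the logins and dates are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

DISABLE_AFTER_MONTHS = 2  # slide 12: primary/secondary accounts disabled at contract end + 2 months
DELETE_AFTER_MONTHS = 6   # slide 5: accounts deleted 6 months after departure

def add_months(d: date, months: int) -> date:
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))  # clamp day to month length

@dataclass
class Account:
    name: str
    kind: str                               # "primary", "secondary" or "service"
    departed: Optional[date] = None         # owner's contract end date; None while still at CERN
    enabled: bool = True
    exists: bool = True
    extension_until: Optional[date] = None  # assumed field: supervisor-granted "Blocking Exception"

def expected_state(acct: Account, today: date, disable_after: int = DISABLE_AFTER_MONTHS) -> str:
    """What the policy says the account should be today: active, reassign, disabled or deleted."""
    if acct.departed is None:
        return "active"
    if acct.kind == "service":
        return "reassign"  # service accounts go to the supervisor at departure, they are not disabled
    cutoff = max(acct.departed, acct.extension_until or acct.departed)
    if today >= add_months(cutoff, DELETE_AFTER_MONTHS):
        return "deleted"
    if today >= add_months(cutoff, disable_after):
        return "disabled"
    return "active"

def audit(accounts, today: date, disable_after: int = DISABLE_AFTER_MONTHS):
    """Return (account, required action) for every account whose real state lags the policy."""
    findings = []
    for a in accounts:
        want = expected_state(a, today, disable_after)
        overdue = (want == "deleted" and a.exists) or (want == "disabled" and a.enabled)
        if overdue or want == "reassign":
            findings.append((a.name, want))
    return findings

TODAY = date(2011, 3, 9)  # constructed sample data, evaluated against this date
SAMPLE = [Account("jdoe", "primary", departed=date(2010, 12, 20)),
          Account("jdoe-sec", "secondary", departed=date(2010, 12, 20), extension_until=date(2011, 2, 15)),
          Account("asmith", "primary", departed=date(2010, 8, 1), enabled=False),
          Account("svc-build", "service", departed=date(2010, 12, 20)), Account("bwong", "primary")]
```

Running `audit(SAMPLE, TODAY)` flags the still-enabled primary account, the disabled-but-not-deleted one, and the service account whose departed owner never transferred it.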

Page 13: A few numbers to conclude

• Total: 42264 Accounts
• Since FIM started on 22 November:
  – 876 Accounts activated
    • Primary: 555
    • Secondary: 118
    • Service: 200
  – Primary Accounts activated per month (new persons):
    • November 2010: 51
    • December 2010: 112
    • January 2011: 199
    • February 2011: 162
    • March 2011: 111

Page 14: Questions?